On Thu, Jan 02, 2025 at 01:08:38PM -0500, Steve Grubb wrote:
> * Verify that audit events exist for user and group creation:
> ausearch --start recent -i -m
> 'ADD_USER,USER_MGMT,USER_CHAUTHTOK,ROLE_ASSIGN,ROLE_REMOVE,DEL_USER,ADD_GROUP,GRP_MGMT,GRP_CHAUTHTOK,DEL_GROUP'
> * Remove the package and verify audit events exist for account and group
> deletion (see above ausearch command).

I submitted https://github.com/systemd/systemd/pull/35957 to add audit log generation to systemd-sysusers. This should make systemd-sysusers match useradd/groupadd from shadow-utils wrt. audit logs.

Actually systemd-sysusers will probably not be used, since rpm rather calls /usr/lib/rpm/sysusers.sh, which uses useradd/groupadd. But it's probably a desirable change in any case, and it'll make things easier if we decide to use systemd-sysusers, either by default or as a fallback.

I get something like this:

$ sudo build/systemd-sysusers --inline 'u foo5'
...
type=ADD_GROUP msg=audit(01/10/2025 16:03:15.451:3907) : pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding group acct=foo5 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'
type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) : pid=3846607 uid=root auid=zbyszek ses=2 msg='op=adding user acct=foo5 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'

As noted in the other messages in the thread, rpm packages generally do not remove users. systemd-sysusers has no functionality to remove users or groups. Thus we only care about additions.

Zbyszek
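
Added example, not part of the original message and not code from systemd or shadow-utils: one way to automate the creation check discussed above, by parsing interpreted `ausearch -i` records and reporting which accounts lack a successful ADD_GROUP or ADD_USER event. The function names and the `bar7` record are assumptions made for illustration; the two `foo5` records are the ones quoted in the message.

```python
import re

# One interpreted (ausearch -i) record, in the layout shown in the message above.
RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*?):(?P<serial>\d+)\) : "
    r"(?P<outer>.*?) msg='(?P<inner>.*)'\s*$"
)
REQUIRED = ("ADD_GROUP", "ADD_USER")  # what account creation should emit

def parse_record(line):
    """Return the record's fields as a dict, or None for non-record lines."""
    m = RECORD_RE.search(line.strip())
    if m is None:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"])}
    for part in (m["outer"], m["inner"]):
        # Split only before "key=", so "op=adding group" stays one field.
        for field in re.split(r" (?=\w+=)", part):
            key, _, value = field.partition("=")
            rec[key] = value.strip('"')
    return rec

def missing_events(lines, accounts):
    """Map each account to the REQUIRED types lacking a res=success record."""
    seen = set()
    for line in lines:
        rec = parse_record(line)
        if rec and rec.get("res") == "success":
            seen.add((rec.get("acct"), rec["type"]))
    gaps = {a: [t for t in REQUIRED if (a, t) not in seen] for a in accounts}
    return {a: types for a, types in gaps.items() if types}

# The foo5 records are quoted from the message; the bar7 record is constructed.
SAMPLE = [
    "----",
    "type=ADD_GROUP msg=audit(01/10/2025 16:03:15.451:3907) : pid=3846607 uid=root auid=zbyszek ses=2 "
    "msg='op=adding group acct=foo5 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'",
    "type=ADD_USER msg=audit(01/10/2025 16:03:15.457:3908) : pid=3846607 uid=root auid=zbyszek ses=2 "
    "msg='op=adding user acct=foo5 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=success'",
    "type=ADD_GROUP msg=audit(01/10/2025 16:04:02.118:3915) : pid=3846700 uid=root auid=zbyszek ses=2 "
    "msg='op=adding group acct=bar7 exe=systemd-sysusers hostname=x1c addr=? terminal=pts/8 res=failed'",
]

if __name__ == "__main__":
    print(missing_events(SAMPLE, ["foo5", "bar7"]))
```

An empty result means every listed account has both creation events; on a live system the lines would come from the `ausearch` command quoted above.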